Five tips to help avoid smishing scams

Smishing is a form of fraud that primarily takes place through texts on mobile devices. Learn how to detect and avoid this increasingly common type of scam.



Key takeaways

  • Smishing is phishing delivered by text — known as short message service, or SMS — to mobile phones and messaging applications.
  • A phish is any type of electronic communication that aims to steal personal or proprietary information for fraudulent purposes.
  • Be wary of responding to text messages from an unknown sender, especially if the message includes a link, asks for money or sounds urgent.

Smishing is a fast-growing version of one of the internet’s oldest and most successful scams. Like any other type of phishing, smishing aims to trick you into handing over sensitive data and information — only instead of using email, cyber criminals send their messages via text or short message service (SMS). Smish attempts are typically sent to mobile phone users as standard texts, but they can also be sent via popular messaging apps.


Smishing is a form of social engineering, where scammers exploit emotions like fear, sympathy, curiosity or greed to get individuals to divulge personal or business information. They do this by sending fraudulent texts to your phone or other mobile device, purporting to be from a trustworthy source, such as a delivery service, utility company, bank or government agency. The information they seek could include usernames, passwords, credit card numbers, bank account numbers, vendor names or other proprietary data. Cyber criminals then sell that data on the black market or use it to commit identity theft, empty bank accounts or redirect payments to themselves.


Criminals also use compromised phone numbers and spoofed or hacked accounts on popular messaging platforms to fake their identities. Smishing messages often contain links that take users to a website that may look legitimate, but actually steals usernames, passwords and other data when people log in. Some messages can even secretly install malware on victims' mobile devices.


Smishing has become more common, especially during the pandemic. Non-email-based phishing attacks in general are proliferating, with vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing) increasing sevenfold in the second quarter of 2022.


Smishing is potentially more appealing to cyber criminals because users are more inclined to trust texts over other forms of communication. In fact, people respond to 45 percent of their texts while only 6 percent of emails receive a response. This is likely due to years of email over-saturation; inboxes inundated by promotional offers and spam have trained users to become more suspicious.


Common smishing scams


Making false promises

Criminals employ a wide variety of smishing tactics to convince people to part with personal data — and money. They may make false promises of:

  • Gift cards, prize money, or other winnings
  • Low-interest or no-interest credit cards
  • Coupons and other discounts
  • Student loan debt forgiveness


Posing as legitimate companies

Smish attempts may also claim to be from legitimate companies with questions about your account or transaction. They may:

  • Claim to be a customer service representative needing to verify account information
  • Want to discuss a recent suspicious charge or problem with your payment
  • Send a fake invoice and ask you to contact them if you didn’t authorize the purchase
  • Pretend to be a package delivery notification or tracker


Preying on charity

Smishing criminals may even prey upon your charitable impulses by:

  • Requesting donations after a natural disaster or other catastrophic event, such as hurricane or wildfire relief
  • Posing as people you may know, such as a community organizer or politician, who would collect monetary contributions   

Five ways to protect against smishing

  • Don’t click hyperlinks in texts from suspicious or unknown numbers. This is doubly true if the link is a short, abbreviated URL. When used in SMS messages, shortened URLs are often an indicator that cyber criminals are trying to mask overtly fake URLs.
  • Be wary: if you are urged to pay or give out sensitive information, pause and verify that the source is legitimate and trustworthy.
  • Never respond to texts from unknown or suspicious numbers – even to tell them to stop. Doing so will let scammers know your number is active, and you could be added to spam lists and harassed further.
  • Always keep your phone’s operating system up to date to protect against malware hidden in smishing links.
  • Pay attention to social engineering red flags, such as urgent messages or get-rich-quick fixes. If it seems too good to be true, it probably is.
  • Don’t trust texts asking for personal information, especially if they purport to come from real organizations. Remember that government agencies and legitimate companies — including Bank of America — will never text you asking for account details. If there’s any doubt, contact that person or organization through another trusted channel.